diff --git a/apparmor.d/profiles-a-f/blkdeactivate b/apparmor.d/profiles-a-f/blkdeactivate
index 922c9c236..89685214b 100644
--- a/apparmor.d/profiles-a-f/blkdeactivate
+++ b/apparmor.d/profiles-a-f/blkdeactivate
@@ -9,6 +9,7 @@ include
 @{exec_path} = /{usr/,}sbin/blkdeactivate
 profile blkdeactivate @{exec_path} flags=(complain) {
 include
+ include
 @{exec_path} rm,
 /{usr/,}sbin/dmsetup rPUx,
@@ -18,6 +19,10 @@ profile blkdeactivate @{exec_path} flags=(complain) {
 /{usr/,}bin/sort rix,
 /{usr/,}bin/umount rPx,
+ @{sys}/devices/virtual/block/*/holders/ r,
+
+ /dev/tty rw,
+
 include if exists
 }
diff --git a/apparmor.d/profiles-a-f/dkms b/apparmor.d/profiles-a-f/dkms
index c4ad09191..481cd52b0 100644
--- a/apparmor.d/profiles-a-f/dkms
+++ b/apparmor.d/profiles-a-f/dkms
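Review bot: `/dev/tty rw,` in the second hunk looks redundant if the include added in the first hunk is `abstractions/consoles`, which already grants read/write on `/dev/tty`; the include target was lost in this rendering, so confirm which abstraction it is and drop the explicit rule when it is the consoles one. If a different abstraction was added, a short comment such as `# /dev/tty: TODO note the operation that needs it (from audit log)` would record why a profile that is still in `flags=(complain)` needs direct terminal access. The `profile blkdeactivate` block opens before the second hunk; its closing `}` is the hunk's last line.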
@@ -23,47 +23,47 @@ profile dkms @{exec_path} flags=(attach_disconnected) {
 unix (receive) type=stream,
 @{exec_path} r,
- /{usr/,}bin/{,ba,da}sh rix,
-
- /{usr/,}bin/head rix,
- /{usr/,}bin/ls rix,
- /{usr/,}bin/uname rix,
- /{usr/,}bin/nproc rix,
- /{usr/,}bin/mktemp rix,
+ /{usr/,}bin/cat rix,
+ /{usr/,}bin/cp rix,
 /{usr/,}bin/cut rix,
- /{usr/,}bin/rm rix,
- /{usr/,}bin/sed rix,
- /{usr/,}bin/readlink rix,
+ /{usr/,}bin/date rix,
 /{usr/,}bin/diff rix,
- /{usr/,}bin/wc rix,
- /{usr/,}bin/rmdir rix,
+ /{usr/,}bin/echo rix,
 /{usr/,}bin/find rix,
+ /{usr/,}bin/getconf rix,
+ /{usr/,}bin/grep rix,
+ /{usr/,}bin/head rix,
+ /{usr/,}bin/kmod rCx -> kmod,
+ /{usr/,}bin/ln rix,
+ /{usr/,}bin/ls rix,
+ /{usr/,}bin/lsb_release rPx -> lsb_release,
+ /{usr/,}bin/make rix,
+ /{usr/,}bin/mkdir rix,
+ /{usr/,}bin/mktemp rix,
+ /{usr/,}bin/mv rix,
+ /{usr/,}bin/nproc rix,
+ /{usr/,}bin/pwd rix,
+ /{usr/,}bin/readlink rix,
+ /{usr/,}bin/rm rix,
+ /{usr/,}bin/rmdir rix,
+ /{usr/,}bin/sed rix,
+ /{usr/,}bin/uname rix,
+ /{usr/,}bin/wc rix,
+ /{usr/,}bin/xargs rix,
+ /{usr/,}bin/{,@{multiarch}-}* rix,
+ /{usr/,}bin/{,ba,da}sh rix,
 /{usr/,}bin/{,e}grep rix,
 /{usr/,}bin/{,g,m}awk rix,
- /{usr/,}bin/cp rix,
- /{usr/,}bin/date rix,
- /{usr/,}bin/ln rix,
- /{usr/,}bin/mkdir rix,
- /{usr/,}bin/mv rix,
- /{usr/,}bin/cat rix,
- /{usr/,}bin/echo rix,
- /{usr/,}bin/pwd rix,
- /{usr/,}bin/getconf rix,
- /{usr/,}bin/xargs rix,
+ /{usr/,}{,s}bin/update-secureboot-policy rPUx,
- /{usr/,}bin/make rix,
- /{usr/,}bin/{,@{multiarch}-}* rix,
- /{usr/,}lib/gcc/@{multiarch}/[0-9]*/* rix,
- /{usr/,}lib/llvm-[0-9]*/bin/clang rix,
-
- /{usr/,}bin/kmod rCx -> kmod,
- /{usr/,}bin/lsb_release rPx -> lsb_release,
-
- /{usr/,}lib/linux-kbuild-*/scripts/** rix,
- /{usr/,}lib/modules/*/build/scripts/** rix,
- /{usr/,}lib/linux-kbuild-*/tools/objtool/objtool rix,
+ /{usr/,}lib/gcc/@{multiarch}/[0-9]*/* rix,
+ /{usr/,}lib/linux-kbuild-*/scripts/** rix,
+ /{usr/,}lib/linux-kbuild-*/tools/objtool/objtool rix,
+ /{usr/,}lib/llvm-[0-9]*/bin/clang rix,
+ /{usr/,}lib/modules/*/build/scripts/** rix,
 /{usr/,}lib/modules/*/build/tools/objtool/objtool rix,
+ /var/lib/dkms/**/configure rix,
 /var/lib/dkms/**/dkms.postbuild rix,
 / r,
@@ -113,6 +113,8 @@ profile dkms @{exec_path} flags=(attach_disconnected) {
 @{PROC}/cmdline r,
+ /etc/depmod.d/{,*} r,
+ /{usr/,}lib/modules/*/modules.* rw,
 /var/lib/dkms/**/module/*.ko r,
diff --git a/apparmor.d/profiles-g-l/lvm b/apparmor.d/profiles-g-l/lvm
index 409b4e62f..2f038e85d 100644
--- a/apparmor.d/profiles-g-l/lvm
+++ b/apparmor.d/profiles-g-l/lvm
@@ -14,6 +14,7 @@ profile lvm @{exec_path} flags=(complain) {
 include
 capability sys_admin,
+ capability sys_nice,
 deny capability net_admin,
 @{exec_path} rm,
@@ -24,8 +25,8 @@ profile lvm @{exec_path} flags=(complain) {
 @{run}/lock/lvm/* rwk,
 @{sys}/bus/ r,
- @{sys}/devices/virtual/bdi/**/read_ahead_kb r,
 @{sys}/class/ r,
+ @{sys}/devices/virtual/bdi/**/read_ahead_kb r,
 @{PROC}/devices r,
 owner @{PROC}/@{pid}/cmdline r,
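Review bot: The added `/{usr/,}bin/grep rix,` is already matched by the kept `/{usr/,}bin/{,e}grep rix,` a few lines below it (and by the `/{usr/,}bin/{,@{multiarch}-}* rix,` wildcard), so the new line only adds an overlapping rule and can be dropped. The new `/{usr/,}{,s}bin/update-secureboot-policy rPUx,` runs that helper unconfined whenever no `update-secureboot-policy` profile is loaded; a comment beside it, e.g. `# PUx: unconfined fallback until a dedicated profile exists`, makes that an explicit decision rather than something to rediscover later. The `profile dkms` block opens before and closes after this hunk.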
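Review bot: `/{usr/,}lib/modules/*/modules.* rw,` grants the dkms profile itself write access to the module index files, although the first hunk of this file sends `kmod` (and with it depmod, the tool that normally rewrites them) into a separate `kmod` child profile; confirm from the audit log that dkms writes these paths directly, and otherwise keep the rule at `r`. If the write is genuine, note the step that needs it, e.g. `# modules.* rw: TODO name the dkms step that writes these`, so the broader access is not copied into other profiles unexamined. The `profile dkms` block opens before and closes after this hunk.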
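Review bot: `capability sys_nice,` is added in the first lvm hunk with no note on which LVM operation needs it, and a capability is harder to trace back later than a path rule; a comment such as `# sys_nice: TODO record the lvm operation seen in the audit log` next to it would document the grant. Since the profile is still `flags=(complain)`, the new capability is logged rather than enforced, so this is also the moment to check that it is really needed before the profile is switched to enforce mode. The second lvm hunk only reorders the `read_ahead_kb` rule. The `profile lvm` block opens before and closes after both hunks.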